Spammers are always on the lookout for new ways to disguise themselves on the way into your inbox, and recently they've found a new trick that lets them leverage the most trusted brand on the internet: Google. Specifically, they are hiding behind Google's language translation service.
Now you probably wouldn't click on this (although someone must be clicking on them, because these spammers show no signs of giving up). The thing is, for pharmacy spammers, getting clicks is battle number 2. Battle number 1 is just getting the spam into your inbox, and that's where this spam gets interesting.
So the link looks like it goes to google.com. You might think nothing bad could happen there, but what page is this link asking to translate?
What you see here is the URL-encoded representation of y.ahoo.it, a URL shortener offered by the fine folks at Yahoo. URL-encoding this domain makes it harder for a program examining the initial message to determine the ultimate destination of the link.
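As an added illustration (not code from the original post), here is how a mail filter can unwrap such a link: take the translate link apart, percent-decode the target parameter until it stops changing, and pull out the hostname that was hidden. The parameter name `u`, the `translate.google.com` host form, and the sample link itself are assumptions constructed for the example; the page does not reproduce the actual spam URL.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample: a Google Translate link whose "u" parameter carries a
# percent-encoded URL-shortener address (y.ahoo.it, as in the post).  The
# parameter name "u" and the host form are assumptions for this example.
SAMPLE_LINK = (
    "http://translate.google.com/translate?hl=en&sl=ru&tl=en"
    "&u=http%3A%2F%2Fy%2Eahoo%2Eit%2Fabc123"
)

TRANSLATE_HOSTS = {"translate.google.com"}
KNOWN_SHORTENERS = {"y.ahoo.it"}


def fully_decode(value, max_rounds=5):
    """Undo repeated percent-encoding until the string stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def extract_translate_target(link):
    """Return the hostname hidden inside a translate link, or None."""
    parts = urlsplit(link)
    if parts.hostname not in TRANSLATE_HOSTS:
        return None
    # parse_qs decodes one layer; fully_decode handles double-encoding.
    raw = parse_qs(parts.query).get("u", [None])[0]
    if raw is None:
        return None
    inner = fully_decode(raw)
    if "://" not in inner:
        inner = "http://" + inner  # bare domains are still a valid target
    return urlsplit(inner).hostname


def classify(link):
    """Label a link for a filter: plain, translate-wrapped, or wrapped shortener."""
    target = extract_translate_target(link)
    if target is None:
        return "not-a-translate-redirect"
    if target in KNOWN_SHORTENERS:
        return "translate-wrapped-shortener:" + target
    return "translate-wrapped:" + target
```

The recovered hostname, not the visible google.com link, is what the filter should score.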
Clicking on the link sends us to Google Translate. Google Translate fetches the shortened URL and follows it to playandstudy.org, a hacked WordPress-based website in France. Playandstudy.org returns Russian text that translates to "Redirected to the requested page..." and Google Translate displays that on its page in an iframe.
Once this text is displayed, Google Translate then executes code from playandstudy.org that manages to break out of the iframe and redirect the browser to the ultimate landing page, a rogue pharmacy website. The complete traffic is shown here...
We've tested many of these links in the lab, and it appears that Google may be implementing code that defeats framebusting, but our tests are inconclusive. Some links now redirect to google.com, while others still redirect to pharmacy sites. We certainly hope this technique is not discovered by malware distributors.
In any case, it's worthwhile to know that spammers are taking these extreme steps to hide what they're doing, and no matter how good your spam filtering solution is, you have to be especially aware of emailed links. In short, don't click on them.